📦 Discover Your Competitors' Shopify Theme With Our Free Tool →

English only (all languages)

This Privacy Policy is published in English for every language version of our site. Whether you open it from English, German, French, Dutch, or Icelandic navigation, the legal text below is the same.

Privacy Policy

Last updated: April 20, 2026

This Privacy Policy explains how Nivk GmbH ("Nivk", "we", "us", or "our") collects, uses, shares, and otherwise processes personal data in connection with our websites, Shopify app, platform, and related services (collectively, the "Services").

This Privacy Policy applies to:

  • visitors to our websites, including nivk.com and any website that links to this Privacy Policy;
  • prospective customers and business contacts;
  • customers and their authorized users;
  • merchants who install or use our Shopify app; and
  • other individuals who interact with us in a business context.

Our Services are intended for business users only.

Shopify App Summary

Shopify App — Privacy & Compliance Summary

This summary describes how the Nivk.com Shopify app handles merchant and store data. It is provided in plain English for Shopify merchants and Shopify's App Review team. The full Privacy Policy below governs in case of conflict.

About the Nivk.com Shopify app

Nivk.com is a generative engine optimization (GEO) tool for Shopify merchants. It analyzes a store's public catalog, content, and storefront signals to help the store become more visible in AI search surfaces such as ChatGPT, Perplexity, Google AI Overviews, Gemini, and traditional ecommerce discovery. Nivk.com is an independent service and is not owned or operated by Shopify.

Shopify store data we may access

Depending on the Shopify API access scopes that you approve when installing or updating the app, Nivk.com may read information that is necessary to provide GEO recommendations, including:

  • store identifiers (shop domain, primary locale, currency, plan);
  • product and variant data (titles, descriptions, images, tags, status);
  • collections and product categorization;
  • online store pages, blog posts, and articles;
  • navigation, menus, and storefront metafields used for SEO/GEO;
  • theme metadata required to evaluate public storefront markup; and
  • app installation and subscription status.

We only request the access scopes the app actually needs. If we add a feature that requires new scopes, Shopify will prompt the merchant for explicit approval before access is granted.

Customer and order data

Nivk.com is designed to operate without customer personal data. We do not access end-shopper identities, order contents, addresses, payment details, or other protected customer information unless a specific feature explicitly requires it and the merchant has approved the corresponding Shopify scope at install. If such a feature is ever introduced, this Privacy Policy will be updated and the merchant will see the additional scope request in Shopify before granting access.

Data merchants give us directly

When a merchant signs up, configures the app, or contacts us, we may collect: business name, store name and URL, contact email, role, onboarding and configuration choices, support messages, and subscription/billing status returned by Shopify.

AI processing and third-party providers

To deliver the service we process store data using AI/LLM inference, cloud hosting, databases, email delivery, error monitoring, and analytics providers acting as our processors. We use these providers only to operate, secure, and improve the Nivk.com Shopify app.

We do not sell merchant or store data. We do not use merchant or store data to train, fine-tune, or improve any AI model — our own or any third party's. Where AI providers are used, we operate under their no-training / no-data-retention terms applicable to API customers, or equivalent contractual protections, so the merchant's data is not added to any provider's training corpus.

Sub-processor changes

We may add or change sub-processors as the service evolves. Where required by applicable law or by the contract with the merchant, we will give advance notice of material sub-processor changes by in-app notice or by email to the merchant's registered support contact, so that merchants who need to object have an opportunity to do so.

Shopify mandatory compliance webhooks

As required by Shopify's Partner Program Agreement, the Nivk.com app supports Shopify's mandatory privacy and compliance webhooks:

  • customers/data_request — we respond to merchant-forwarded customer data access requests with any data we hold linked to the customer identifier (or confirm that we hold none) within 30 days of receipt.
  • customers/redact — we delete any customer-linked personal data we hold for the specified customer within 30 days of receipt.
  • shop/redact — Shopify sends this webhook approximately 48 hours after a merchant uninstalls the app. On receipt we delete shop-linked data we no longer need to retain for legal, billing, security, or anti-abuse reasons within 30 days.

Retention, uninstall, and deletion

We retain merchant and store data only for as long as needed to provide the service, comply with legal obligations, resolve disputes, prevent abuse, and honor Shopify's deletion webhooks. Uninstalling the app from Shopify triggers our deletion workflow on the schedule required by Shopify.

Merchant rights and contact

Merchants may request access to, correction of, deletion of, or restriction on processing of their personal data by contacting [email protected]. Customer data requests should be initiated through the merchant's Shopify admin so that Shopify can forward the request to us via the compliance webhooks listed above.

International transfers and security

Merchant and store data may be processed outside the merchant's country or region by our processors with appropriate safeguards where required by law (for example, Standard Contractual Clauses for transfers out of the EEA / UK). We protect data with encryption in transit (TLS), encryption at rest for stored merchant and store data, access controls, the principle of least-privilege staff access, audit logging where applicable, and other reasonable technical and organizational safeguards.

Data breach notification

In the event of a personal data breach affecting merchant or store data processed through the Nivk.com Shopify app, we will notify the affected merchant without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in line with GDPR Art. 33. Notice will include the nature of the breach, likely consequences, measures taken or proposed to address it, and a contact point for further information.

Data Processing Addendum (DPA)

For merchant personal data that Nivk.com processes on the merchant's behalf, this Privacy Policy together with the Terms of Service serve as the Data Processing Addendum under GDPR Art. 28 and comparable laws. A separately countersigned DPA is available on request to [email protected] for merchants whose procurement processes require one.

1. Who We Are

The controller responsible for the processing described in this Privacy Policy is:

Nivk GmbH

Wolfsweg 19

74321 Bietigheim-Bissingen

Germany

Email: [email protected]

If you have questions about this Privacy Policy or wish to exercise your privacy rights, you can contact us using the details above.

2. Our Role: Controller or Processor

Depending on the context, Nivk may act either as a controller or a processor.

2.1 When we act as controller

We act as controller when we process personal data for our own purposes, including to:

  • operate our websites and Services;
  • manage accounts, subscriptions, and billing;
  • provide customer support;
  • communicate with prospects, customers, and users;
  • secure and improve our Services;
  • manage marketing and business relationships where permitted by law; and
  • comply with legal obligations and enforce our rights.

2.2 When we act as processor

Where we process personal data on behalf of a business customer in order to provide the Services, including through our Shopify app and related integrations, we generally act as a processor or service provider and process such personal data on the customer's documented instructions.

Where required by applicable law, such processing is governed by a separate data processing agreement or applicable contractual data protection terms.

3. Categories of Personal Data We Process

Depending on how you interact with us and which features are used, we may process the following categories of personal data.

3.1 Business contact and account data

  • name
  • business email address
  • company name
  • job title or role
  • business phone number
  • account credentials
  • account preferences and settings

3.2 Commercial and billing data

  • subscription details
  • contract and order information
  • billing address
  • invoice data
  • payment status
  • transaction records
  • communications relating to purchases, renewals, and support

We do not store full payment card details where payments are handled by third-party payment providers.

3.3 Shopify app and store-related data

If a customer installs or uses our Shopify app or otherwise connects a Shopify store or related system to our Services, we may process data necessary to provide the relevant functionality, such as:

  • store identifiers and store settings
  • merchant contact details
  • product, collection, page, and blog content
  • content metadata
  • generated drafts and published content
  • configuration data
  • usage events and actions taken within the app
  • technical integration data, tokens, or credentials necessary to connect authorized services

Depending on the permissions granted and features used, this may include data contained in store content or systems made available to us by the customer.

3.4 Usage, log, device, and technical data

  • IP address
  • browser type and version
  • operating system
  • device type
  • language and region settings
  • timestamps
  • log data
  • error and diagnostic data
  • pages viewed
  • actions taken within our websites, app, or platform

3.5 Communications and support data

  • emails
  • contact form submissions
  • chat messages
  • support tickets
  • meeting notes
  • call notes
  • other correspondence or materials you send to us

3.6 Marketing and preference data

  • newsletter preferences
  • event registration data
  • marketing engagement data
  • cookie and consent choices

4. How We Collect Personal Data

We collect personal data:

  • directly from you;
  • from your employer or organization;
  • when you create an account or use our Services;
  • when you install or use our Shopify app;
  • from Shopify or other integrations you authorize;
  • from payment providers and other service providers involved in the Services;
  • from publicly available professional or business sources; and
  • automatically through cookies, logs, and similar technologies.

5. Purposes and Legal Bases for Processing

We process personal data only where we have a valid legal basis under applicable law.

5.1 To provide and operate the Services

We process personal data to create and manage accounts, provide the platform and Shopify app, analyze stores and content, generate suggestions and drafts, support publishing workflows, operate integrations, and provide customer support.

Legal basis: performance of a contract, steps prior to entering into a contract, and/or legitimate interests.

5.2 To manage subscriptions, billing, and the customer relationship

We process personal data to manage commercial relationships, process invoices, administer subscriptions, handle renewals, and maintain customer records.

Legal basis: performance of a contract, legal obligation, and/or legitimate interests.

5.3 To communicate with you

We process personal data to respond to enquiries, provide support, send administrative and service-related communications, and communicate about demos, onboarding, and account matters.

Legal basis: steps prior to entering into a contract, performance of a contract, and/or legitimate interests.

5.4 To secure, maintain, and improve the Services

We process personal data to maintain the availability, security, and stability of our Services, monitor performance, troubleshoot issues, prevent misuse, detect fraud, and improve product functionality.

Legal basis: legitimate interests and, where required, consent.

5.5 To send marketing and business communications

We may process personal data to send newsletters, event invitations, product updates, and similar business communications where permitted by applicable law.

Legal basis: consent where required, and/or legitimate interests where permitted by law.

You may object to direct marketing at any time or unsubscribe using the link in the relevant message.

5.6 To comply with legal obligations and protect our rights

We may process personal data where necessary to comply with legal, tax, accounting, regulatory, or law-enforcement obligations, or to establish, exercise, or defend legal claims.

Legal basis: legal obligation and/or legitimate interests.

6. Shopify App, Store Data, and Customer Responsibility

Our Services are designed for merchants and businesses, including through a Shopify app and related integrations.

Where a customer installs our app or connects a Shopify store, we may process store and content-related data to:

  • analyze the store and its existing content;
  • generate SEO-related recommendations, drafts, and blog content;
  • support publication workflows to the customer's Shopify store;
  • provide support and troubleshooting; and
  • maintain the security and functionality of the Services.

Depending on the customer's settings and instructions, content may be drafted for review and approval and, where enabled by the customer, may also be published automatically through the customer's Shopify environment.

The customer is responsible for:

  • ensuring it has the right to provide data to us and instruct us to process it;
  • reviewing and approving content where appropriate for its business;
  • ensuring its use of generated or published content complies with applicable law, platform rules, and its own obligations to third parties.

Processor role and customer instructions

Where we process personal data from a customer's Shopify store or connected systems on that customer's behalf, we do so only as necessary to provide the relevant Services, based on the customer's configuration, use of the Services, and documented instructions. We do not use such data for unrelated purposes where we act solely as a processor or service provider for the customer.

7. AI-Supported Features

Our Services may include AI-supported analysis, drafting, recommendation, and content-generation features.

To provide these features, we may use third-party service providers under contractual safeguards.

Customers and users should not input personal data into prompts or content fields unless they have a valid legal basis to do so and such input is necessary for the intended use of the Services.

We do not use solely automated decision-making, including profiling, to make decisions that produce legal effects or similarly significant effects on individuals.

8. Cookies and Similar Technologies

We use cookies and similar technologies on our websites and, where relevant, within our Services.

8.1 Essential cookies

These cookies are necessary for the operation, security, and core functionality of our websites and Services.

8.2 Analytics cookies

These cookies help us understand how visitors and users interact with our websites and Services so we can improve performance, content, and usability.

8.3 Marketing cookies

These cookies may be used to measure campaign performance and support relevant marketing activities.

Where required by law, analytics and marketing cookies are only used after you provide consent through our cookie banner or settings tool.

You can change or withdraw your cookie preferences at any time through the cookie settings mechanism made available on the relevant website.

9. How We Share Personal Data

We do not sell personal data.

We may share personal data with the following categories of recipients where necessary:

  • hosting and infrastructure providers;
  • payment service providers;
  • communications, CRM, and support providers;
  • analytics providers;
  • security and fraud-prevention providers;
  • AI and automation service providers used to support the Services;
  • professional advisers such as lawyers, accountants, auditors, and insurers;
  • subprocessors and service providers engaged to help us provide the Services;
  • regulators, courts, law enforcement, and public authorities where required by law; and
  • parties involved in a corporate transaction such as an investment, restructuring, merger, acquisition, or sale of assets.

We may also share personal data with Shopify and other integrations authorized by the customer where this is necessary to provide the Services or follow customer instructions.

10. International Data Transfers

Because we serve customers internationally and may use service providers in different countries, personal data may be transferred to and processed outside the country in which it was originally collected.

Where required by applicable law, we use appropriate safeguards for such transfers, including:

  • adequacy decisions;
  • standard contractual clauses; or
  • other legally recognized transfer mechanisms.

You may contact us for more information about the safeguards relevant to a particular transfer.

11. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

In general:

  • account and customer relationship data are retained for the duration of the relationship and for a reasonable period thereafter;
  • billing and transaction records are retained for the period required under applicable tax and accounting laws;
  • support and communication records are retained for as long as reasonably necessary to handle the matter and maintain business records;
  • technical logs and diagnostics are retained for a limited period appropriate to security, troubleshooting, and operational needs;
  • backup data may remain in backup systems for a limited period before being overwritten or deleted in the ordinary course.

We may retain data for longer where necessary to comply with legal obligations or to establish, exercise, or defend legal claims.

12. Your Rights

Subject to applicable law, you may have the right to:

  • request access to your personal data;
  • request rectification of inaccurate or incomplete data;
  • request deletion of your personal data;
  • request restriction of processing;
  • object to certain processing, including direct marketing;
  • request portability of your personal data;
  • withdraw consent at any time where processing is based on consent; and
  • lodge a complaint with a competent supervisory authority.

To exercise your rights, please contact us at [email protected].

We may request information reasonably necessary to verify your identity before responding to your request.

Requests relating to customer-controlled data

Where we process personal data on behalf of a business customer as a processor or service provider, individuals may need to direct certain requests relating to that data to the relevant customer in the first instance. We will assist our customers with such requests where required by applicable law or contract.

13. Marketing Communications

If you receive marketing communications from us, you can unsubscribe at any time by using the unsubscribe link in the message or by contacting us at [email protected].

Please note that we may still send service-related, transactional, or legally required communications where necessary.

14. Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Users are responsible for maintaining the confidentiality of their credentials and for using the Services securely.

15. Third-Party Services and Links

Our websites or Services may contain links to third-party websites, services, or integrations. This Privacy Policy does not apply to those third parties, which remain subject to their own terms and privacy notices.

We recommend reviewing the privacy notices of third-party services you choose to use.

16. Children

Our Services are intended for business users and are not directed to children.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or business developments.

When we do so, we will update the "Last updated" date above and publish the revised version on our website. Where required by law, we will provide additional notice.

18. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at:

Nivk GmbH

Wolfsweg 19

74321 Bietigheim-Bissingen

Germany

Email: [email protected]

Nivk.com

Never miss an update

Get the latest GEO insights and Shopify growth strategies delivered to your inbox.

No spam. Unsubscribe anytime.